Abstract

Polynomial remainder codes are a large class of codes derived from the Chinese remainder theorem that includes Reed-Solomon codes as a special case. In this paper, we revisit these codes and study them more carefully than in previous work. We explicitly allow the code symbols to be polynomials of different degrees, which leads to two different notions of weight and distance.

Algebraic decoding is studied in detail. If the moduli are not irreducible, the notion 
of an error locator polynomial is replaced by an error factor polynomial. We then obtain 
a collection of gcd-based decoding algorithms, some of which are not quite standard even 
when specialized to Reed-Solomon codes. 

Index Terms — Chinese remainder theorem, redundant residue codes, polynomial remainder codes, Reed-Solomon codes, polynomial interpolation.



1 Introduction 

Polynomial remainder codes are a large class of codes derived from the Chinese remainder theorem. Such codes were proposed by Stone [2], who also pointed out that these codes include Reed-Solomon codes [3] as a special case. Variations of Stone's codes were studied in [4]-[6]. In [2] and [4], the focus is on codes with a fixed symbol size, i.e., the moduli are relatively prime polynomials of the same degree. A generalization of such codes was proposed by Mandelbaum [5], who also pointed out that using moduli of different degrees can be advantageous for burst error correction [6].

Although the codes in [2], [4]-[6] can, in principle, correct many random errors, no efficient decoding algorithm for random errors was proposed in these papers. In 1988, Shiozaki [7] proposed an efficient decoding algorithm for Stone's codes [2] using Euclid's algorithm, and he also adapted this algorithm to decode Reed-Solomon codes. However, the algorithm of [7] is restricted to codes with a fixed symbol size, i.e., fixed-degree moduli. Moreover, the argument given in [7] seems to assume that all the moduli are irreducible although this assumption is not stated explicitly.

A preliminary version of this work was presented in part in [1].

In [8], Mandelbaum made the interesting observation that polynomial remainder codes (generalized as in [5]) contain Goppa codes [9] as a special case. By means of this observation, generalized versions of Goppa codes such as in [10] may also be viewed as polynomial remainder codes. In subsequent work [11, 12], Mandelbaum actually used the term "generalized Goppa codes" for (generalized) polynomial remainder codes. He also proposed a decoding algorithm for such codes using a continued-fractions approach [11, 12]. However, this connection between (generalized) polynomial remainder codes and Goppa codes will not be further pursued in this paper.

There is also a body of work on Chinese remainder codes over integers, cf. [13, 14]. However, the results of the present paper are not directly related to that work.

In this paper, we revisit polynomial remainder codes as in [2]. We explicitly allow moduli of different degrees (i.e., variable symbol sizes) within a codeword. In this way, we can, e.g., lengthen a Reed-Solomon code by adding some higher-degree symbols without increasing the size of the underlying field. In consequence, we obtain two different notions of distance — Hamming distance and degree-weighted distance — and the corresponding minimum-distance decoding rules. Algebraic decoding as in [7] is studied in detail. If the moduli are not irreducible, the notion of an error locator polynomial is replaced by an error factor polynomial. We then obtain a collection of gcd-based decoding algorithms, some of which are not quite standard even when specialized to Reed-Solomon codes.

This paper is organized as follows. In Section 2, we recall the Chinese remainder theorem and the definition of Chinese remainder codes over integers and polynomials. We also discuss erasures-only decoding, i.e., the recovery of a codeword from a subset of its symbols, for which we propose a method that appears to be new. In Section 3, we focus on polynomial remainder codes and their minimum-distance decoding, both for Hamming distance and degree-weighted distance. In Section 4, we introduce error locator polynomials and error factor polynomials and a key equation for the latter. In Section 5, we derive gcd-based decoding algorithms. A synopsis of these algorithms is given in Section 5.4, and their relation to prior work is discussed in Section 5.5. Section 6 concludes the paper.

The cardinality of a set $S$ will be denoted by $|S|$ and the absolute value of an integer $n$ will be denoted by $|n|$. In Section 2.2, this same symbol will also be used for the degree of a polynomial, i.e., $|a(x)| = \deg a(x)$.



2 Chinese Remainder Codes 

2.1 Chinese Remainder Theorem and Codes 

Let $R = \mathbb{Z}$ or $R = F[x]$ for some field $F$. (Later on, we will focus on $R = F[x]$.) For $R = \mathbb{Z}$, for any positive $m \in \mathbb{Z}$, let $R_m$ denote the ring $\{0, 1, 2, \ldots, m-1\}$ with addition and multiplication modulo $m$; for $R = F[x]$, for any monic polynomial $m(x) \in F[x]$, let $R_m$ denote the ring of polynomials over $F$ of degree less than $\deg m(x)$ with addition and multiplication modulo $m(x)$. For $R = \mathbb{Z}$, $\gcd(a, b)$ denotes the greatest common divisor of $a, b \in \mathbb{Z}$, not both zero; for $R = F[x]$, $\gcd(a, b)$ denotes the monic polynomial of largest degree that divides both $a, b \in F[x]$, not both zero.

We will need the Chinese remainder theorem [2] in the following form. 

Theorem 1 (Chinese Remainder Theorem). For some integer $n \ge 1$, let $m_0, m_1, \ldots, m_{n-1} \in R$ be relatively prime (i.e., $\gcd(m_i, m_j) = 1$ for $i \neq j$) and let $M_n = \prod_{i=0}^{n-1} m_i$. Then the mapping

$$\psi: R_{M_n} \to R_{m_0} \times \cdots \times R_{m_{n-1}}: a \mapsto \psi(a) = (\psi_0(a), \ldots, \psi_{n-1}(a)) \qquad (1)$$

with $\psi_i(a) = a \bmod m_i$ is a ring isomorphism. The inverse of the mapping (1) is

$$\psi^{-1}: R_{m_0} \times \cdots \times R_{m_{n-1}} \to R_{M_n}: (c_0, \ldots, c_{n-1}) \mapsto \sum_{i=0}^{n-1} c_i b_i \bmod M_n \qquad (2)$$

with coefficients

$$b_i = \frac{M_n}{m_i} \left(\frac{M_n}{m_i}\right)^{-1}_{\bmod m_i} \qquad (3)$$

where $(b)^{-1}_{\bmod m_i}$ denotes the inverse of $b$ in $R_{m_i}$. □

Definition 1. A Chinese remainder code (CRT code) over $R$ is a set of the form

$$C = \{(c_0, \ldots, c_{n-1}) : c_i = a \bmod m_i \text{ for some } a \in R_{M_k}\} \qquad (4)$$

where $n$ and $k$ are integers satisfying $1 \le k \le n$, where $m_0, m_1, \ldots, m_{n-1} \in R$ are relatively prime, and where $M_k = \prod_{i=0}^{k-1} m_i$. □

In other words, a CRT code consists of the images $\psi(a)$, with $\psi$ as in (1), of all $a \in R_{M_k}$. For $R = F[x]$, CRT codes are linear (i.e., vector spaces) over $F$; for $R = \mathbb{Z}$, however, CRT codes are not linear since the pre-image of the sum of two codewords may exceed the range of $M_k$.

The components $c_i = \psi_i(a)$ in (1) and (4) will be called symbols. Note that each symbol is from a different ring $R_{m_i}$; these rings need not have the same number of elements. We will often (but not always) assume that the moduli $m_i$ in Definition 1 satisfy the condition

$$|R_{m_0}| \le |R_{m_1}| \le \cdots \le |R_{m_{n-1}}|. \qquad (5)$$

We will refer to (5) as the Ordered-Symbol-Size Condition.
2.2 Interpolation

Consider the problem of reconstructing a codeword $c = (c_0, \ldots, c_{n-1})$ from a subset of its symbols. Specifically, let $C$ be a CRT code as in Definition 1 and let $S$ be a subset of $\{0, 1, 2, \ldots, n-1\}$ with cardinality $|S| > 0$. Let $c = (c_0, \ldots, c_{n-1}) = \psi(a) \in C$ be the codeword corresponding to some $a \in R_{M_k}$ by (4). Suppose we are given $\tilde c = (\tilde c_0, \ldots, \tilde c_{n-1})$ with

$$\tilde c_i = c_i \text{ for } i \in S \qquad (6)$$

(and with arbitrary $\tilde c_i \in R_{m_i}$ for $i \notin S$) and we wish to reconstruct $a = \psi^{-1}(c)$ from $\tilde c$. This problem arises, for example, when the channel erases some symbols (and lets the receiver know the erased positions) but delivers the other symbols unchanged. However, this problem also arises as the last step in the decoding procedures that will be discussed later in the paper.

This interpolation problem can certainly be solved if $S$ is sufficiently large. A first solution follows immediately from the CRT (Theorem 1). Specifically, with $M_S = \prod_{i \in S} m_i$, Theorem 1 can be applied as follows: if

$$|M_S| \ge |M_k| \qquad (7)$$

then

$$a = \sum_{i=0}^{n-1} \tilde c_i b_i \bmod M_S \qquad (8)$$

with

$$b_i = \begin{cases} \dfrac{M_S}{m_i}\left(\dfrac{M_S}{m_i}\right)^{-1}_{\bmod m_i}, & i \in S \\ 0, & i \notin S. \end{cases} \qquad (9)$$

Obviously, the coefficients in (9) depend on the support set $S$. Interestingly, there is a second solution to the interpolation problem that avoids the computation of these coefficients: the following theorem shows how $a = \psi^{-1}(c)$ can be computed from $\psi^{-1}(\tilde c)$, which in turn may be computed using the fixed coefficients (3).

Theorem 2 (Fixed-Transform Interpolation). If

$$|M_S| \ge |M_k| \qquad (10)$$

then

$$\psi^{-1}(c) = Z / M_{\bar S} \qquad (11)$$

where $M_{\bar S} = M_n / M_S$ and where

$$Z = \left(M_{\bar S} \cdot \psi^{-1}(\tilde c)\right) \bmod M_n \qquad (12)$$

is a multiple of $M_{\bar S}$. □

This theorem does not appear in standard expositions of the CRT; perhaps it is new. Its application to coding, even to Reed-Solomon codes (cf. Section 3.3), also appears to be new.

Proof of Theorem 2. Let $\bar c = c - \tilde c$, let $\bar a = \psi^{-1}(\bar c)$, and note that $\psi^{-1}(\tilde c) = (a - \bar a) \bmod M_n$. Note also that $|M_{\bar S} \cdot a| < |M_n|$ because of (10). Then

$$Z = \left(M_{\bar S} \cdot (a - \bar a)\right) \bmod M_n \qquad (13)$$
$$= M_{\bar S} \cdot a - \left(M_{\bar S} \cdot \bar a\right) \bmod M_n \qquad (14)$$
$$= M_{\bar S} \cdot a \qquad (15)$$

where the last step follows from

$$\left(M_{\bar S} \cdot \bar a\right) \bmod M_n = M_{\bar S} \cdot \left(\bar a \bmod M_S\right) \qquad (16)$$
$$= 0, \qquad (17)$$

since $\bar c_i = 0$, and thus $\bar a \bmod m_i = 0$, for all $i \in S$. □



2.3 Hamming Distance and Singleton Bound 

For any $a \in R_{M_n}$, the Hamming weight of $\psi(a)$ (i.e., the number of nonzero symbols $\psi_i(a)$, $0 \le i \le n-1$) will be denoted by $w_H(\psi(a))$. For any $a, b \in R_{M_n}$, the Hamming distance between $\psi(a)$ and $\psi(b)$ will be denoted by $d_H(\psi(a), \psi(b)) = w_H(\psi(a) - \psi(b))$. The minimum Hamming distance of a CRT code $C$ will be denoted by $d_{\min H}(C)$.

Theorem 3. Let $C$ be a CRT code as in Definition 1 satisfying the Ordered-Symbol-Size Condition (5). Then the Hamming weight of any nonzero codeword $\psi(a)$ ($a \in R_{M_k}$, $a \neq 0$) satisfies

$$w_H(\psi(a)) \ge n - k + 1 \qquad (18)$$

and

$$d_{\min H}(C) = n - k + 1. \qquad (19)$$

□

Proof: For any nonzero $a \in R_{M_k}$, assume that the image $\psi(a)$ has Hamming weight $w_H(\psi(a)) \le n - k$, i.e., the number of zero symbols of $\psi(a)$ is at least $k$. For $R = \mathbb{Z}$, this implies $a \ge M_k$; for $R = F[x]$, this implies $\deg a \ge \deg M_k$. In both cases, $a \notin R_{M_k}$, which proves (18).

As for (19), consider $d_H(\psi(a), \psi(b))$ for any $a, b \in R_{M_k}$, $a \neq b$. For $R = F[x]$, $a - b \in R_{M_k}$ and thus

$$d_H(\psi(a), \psi(b)) = w_H(\psi(a) - \psi(b)) \qquad (20)$$
$$= w_H(\psi(a - b)) \qquad (21)$$
$$\ge n - k + 1 \qquad (22)$$

by (18). For $R = \mathbb{Z}$, either $a - b \in R_{M_k}$ or $b - a \in R_{M_k}$ and the same argument applies. It follows that $d_{\min H}(C) \ge n - k + 1$. Finally, the equality in (19) follows from the Singleton bound below. □
In the following theorem, we will use the following notation. For any subset $S \subset \{0, 1, \ldots, n-1\}$, let $\bar S = \{0, 1, \ldots, n-1\} \setminus S$ and let

$$R_S = \prod_{i \in S} R_{m_i}, \qquad (23)$$

the direct product of all rings $R_{m_i}$ with $i \in S$.

Theorem 4 (Singleton Bound for Hamming Distance). Let $C$ be a code in $R_{\{0, \ldots, n-1\}}$ (i.e., a nonempty subset of $R_{m_0} \times \cdots \times R_{m_{n-1}}$) with minimum Hamming distance $d_{\min H}$. Then

$$|C| \le \min_{S \subset \{0, 1, \ldots, n-1\}} \{|R_S| : |S| > n - d_{\min H}\}. \qquad (24)$$

□

Note that this theorem does not require the Ordered-Symbol-Size Condition (5).

Proof: Let $\bar S$ be a subset of $\{0, 1, \ldots, n-1\}$ with $|\bar S| < d_{\min H}$. For every word $c \in C$, erase its components in $\bar S$. The resulting set of shortened words, which are elements of $R_S$, still has $|C|$ elements. □

For CRT codes satisfying the Ordered-Symbol-Size Condition (5), we have $|C| = |R_{M_k}|$; on the other hand, the right-hand side of (24) becomes

$$|R_{\{0, \ldots, n - d_{\min H}\}}| = |R_{M_{n - d_{\min H} + 1}}| \qquad (25)$$

where $M_{n - d_{\min H} + 1} = \prod_{i=0}^{n - d_{\min H}} m_i$. It then follows from (24) that $|R_{M_k}| \le |R_{M_{n - d_{\min H} + 1}}|$ and thus

$$k \le n - d_{\min H} + 1. \qquad (26)$$

3 Polynomial Remainder Codes 

From now on, we will focus on the case $R = F[x]$ for some finite field $F$.

3.1 Definition and Some Examples

Definition 2. A polynomial remainder code is a CRT code over $R = F[x]$ with monic moduli $m_i(x)$, i.e., a set of the form

$$C = \{(c_0, \ldots, c_{n-1}) : c_i = a(x) \bmod m_i(x) \text{ for some } a(x) \in R_{M_k}\}. \qquad (27)$$

A polynomial remainder code is irreducible if the polynomials $m_0(x), \ldots, m_{n-1}(x)$ are all irreducible [1]. □
For such codes, the Ordered-Symbol-Size Condition (5) may be written as

$$\deg m_0(x) \le \deg m_1(x) \le \cdots \le \deg m_{n-1}(x), \qquad (28)$$

which we will call the Ordered-Degree Condition.

Example 1 (Binary Irreducible Polynomial Remainder Codes). Let $F = \mathrm{GF}(2)$ be the finite field with two elements and let $m_0(x), \ldots, m_{n-1}(x)$ be different irreducible binary polynomials.

The number of irreducible binary polynomials of degree up to 16 is given in Appendix A. For example, by using only irreducible moduli of degree 16, we can obtain a code with $\deg M_n(x) = 4080$; by using irreducible moduli of degree up to 16, we can achieve $\deg M_n(x) = 130'486$. □

Example 2 (Polynomial Evaluation Codes and Reed-Solomon Codes). Let $\beta_0, \ldots, \beta_{n-1}$ be distinct elements of some finite field $F$ (which implies $n \le |F|$). A polynomial evaluation code over $F$ is a code of the form

$$C = \{(c_0, \ldots, c_{n-1}) : c_i = a(\beta_i) \text{ for some } a(x) \in F[x] \text{ of } \deg a(x) < k\}. \qquad (29)$$

A Reed-Solomon code is a polynomial evaluation code with $\beta_i = \alpha^i$, where $\alpha$ is a primitive $n$-th root of unity in $F$. With

$$m_i(x) = x - \beta_i, \qquad (30)$$

a polynomial evaluation code may be viewed as a polynomial remainder code since

$$c_i = a(\beta_i) = a(x) \bmod m_i(x). \qquad (31)$$

For Reed-Solomon codes (as defined above), we then have

$$M_n(x) = x^n - 1. \qquad (32)$$

□

Example 3 (Polynomial Extensions of Reed-Solomon Codes). When Reed-Solomon codes are viewed as polynomial remainder codes as in Example 2, the code symbols are constants, i.e., polynomials of degree at most zero. Reed-Solomon codes can be extended with additional symbols in $F[x]$ by adding some moduli $m_i(x)$ of degree two (or higher). □

3.2 Degree-weighted Distance 

Let

$$N = \deg M_n(x) = \sum_{i=0}^{n-1} \deg m_i(x) \qquad (33)$$

and

$$K = \deg M_k(x) = \sum_{i=0}^{k-1} \deg m_i(x). \qquad (34)$$

Note that $K$ is the dimension of the code as a subspace of $F^N$.
Definition 3. The degree weight of a set $S \subset \{0, 1, \ldots, n-1\}$ is

$$w_D(S) = \sum_{i \in S} \deg m_i(x). \qquad (35)$$

For any $a(x) \in R_{M_n}$, the degree weight of $\psi(a) = (\psi_0(a), \ldots, \psi_{n-1}(a))$ is

$$w_D(\psi(a)) = \sum_{i:\, \psi_i(a) \neq 0} \deg m_i(x), \qquad (36)$$

and for any $a(x), b(x) \in R_{M_n}$, the degree-weighted distance between $\psi(a)$ and $\psi(b)$ is

$$d_D(\psi(a), \psi(b)) = w_D(\psi(a) - \psi(b)). \qquad (37)$$

□

Note that the degree-weighted distance satisfies the triangle inequality:

$$d_D(\psi(a), \psi(b)) \le d_D(\psi(a), \psi(c)) + d_D(\psi(b), \psi(c)) \qquad (38)$$

for all $a(x), b(x), c(x) \in R_{M_n}$.

Let $d_{\min D}(C)$ denote the minimum degree-weighted distance of a polynomial remainder code $C$, i.e.,

$$d_{\min D}(C) = \min_{c, c' \in C:\, c \neq c'} d_D(c, c'), \qquad (39)$$

and let

$$w_{\min D}(C) = \min_{c \in C:\, c \neq 0} w_D(c) \qquad (40)$$

be the minimum degree weight of any nonzero codeword. We then have the following analog of Theorem 3.

Theorem 5 (Minimum Degree-Weighted Distance). Let $C$ be a code as in Definition 2. Then

$$d_{\min D}(C) = w_{\min D}(C) \qquad (41)$$
$$= \min_{S \subset \{0, \ldots, n-1\}} \{w_D(S) : w_D(S) > N - K\} \qquad (42)$$
$$> N - K. \qquad (43)$$

□

If all moduli $m_i(x)$ have degree one, then the right-hand side of (42) equals $N - K + 1$. Note also that unlike Theorem 3, Theorem 5 does not require the Ordered-Degree Condition (28).
Proof: Equation (41) is obvious from the linearity of the code over $F$, and (43) is obvious as well. It remains to prove (42).

Let $d$ be the right-hand side of (42). For any nonzero $a(x) \in R_{M_k}$, assume that the image $\psi(a)$ has degree weight $w_D(\psi(a)) \le N - K$, i.e., the sum of $\deg m_i(x)$ over the zero symbols of $\psi(a)$ is at least $K$. Then $\deg a(x) \ge K = \deg M_k(x)$, which is impossible since $a(x) \in R_{M_k}$. We thus have $w_D(\psi(a)) > N - K$. It then follows from Definition 3 that $w_D(\psi(a)) \ge d$ and thus $w_{\min D}(C) \ge d$.

Conversely, let $S$ be a subset of $\{0, 1, \ldots, n-1\}$ such that $w_D(S) = d$. Then there exists some nonzero $a(x) \in R_{M_k}$ such that $\psi_i(a) \neq 0$ for each $i \in S$ but $\psi_j(a) = 0$ for each $j \in \{0, 1, \ldots, n-1\} \setminus S$. Thus $w_D(\psi(a)) = w_D(S) = d$, which implies $w_{\min D}(C) \le d$. □

Theorem 6 (Singleton Bound for Degree-weighted Distance). Let $C$ be a nonempty subset of $R_{m_0} \times \cdots \times R_{m_{n-1}}$ with minimum degree-weighted distance $d_{\min D}$ and with $N$ as in (33). Then

$$\log_{|F|} |C| \le \min_{S \subset \{0, \ldots, n-1\}} \{w_D(S) : w_D(S) > N - d_{\min D}\}. \qquad (44)$$

□

Proof: Recall the notation $\bar S$ and $R_S$ as in (23). Let $\bar S$ be a subset of $\{0, 1, \ldots, n-1\}$ with $w_D(\bar S) < d_{\min D}$. For every word $c \in C$, erase its components in $\bar S$. The resulting set of shortened words, which are elements of $R_S$, still has $|C|$ elements. Thus $|C| \le |R_S| = |F|^{w_D(S)}$ and (44) follows. □

For polynomial remainder codes, we have $\log_{|F|} |C| = K$ and (44) holds with equality. To see this, we first write (44) as

$$K \le \min_{S \subset \{0, \ldots, n-1\}} \{w_D(S) : w_D(S) > N - d_{\min D}\}. \qquad (45)$$

On the other hand, for $S = \{0, \ldots, k-1\}$, we have $w_D(S) = K$, and using (43), we obtain

$$\min_{S \subset \{0, \ldots, n-1\}} \{w_D(S) : w_D(S) > N - d_{\min D}\} \le K. \qquad (46)$$

We thus have equality in (45) and (46), and therefore also in (44).

In the special case where all the moduli $m_0(x), \ldots, m_{n-1}(x)$ have the same degree, the two Singleton bounds (44) and (24) are equivalent.



3.3 Interpolation and Erasures Decoding 



We now return to the subject of Section 2.2 and specialize it to polynomial remainder codes. Let $C$ be a code as in Definition 2. Let $c = (c_0, \ldots, c_{n-1}) = \psi(a(x)) \in C$ be the codeword corresponding to some polynomial $a(x) \in R_{M_k}$. Let $S$ be a set of positions $i \in \{0, \ldots, n-1\}$ where $c_i$ is known. Let $\tilde c = (\tilde c_0, \ldots, \tilde c_{n-1})$ satisfy $\tilde c_i = c_i$ for $i \in S$ with arbitrary $\tilde c_i \in R_{m_i}$ for $i \notin S$. Suppose we wish to reconstruct $a(x)$ from $\tilde c$ and $S$.

Let $\bar S = \{0, \ldots, n-1\} \setminus S$ be the indices of the unknown components of $\tilde c$ and let $M_{\bar S}(x) = \prod_{i \in \bar S} m_i(x)$ as in Section 2.2. Recall that $w_D(\bar S)$ denotes the degree weight of the unknown (erased) components of $\tilde c$. Then Theorem 2 can be restated as follows:
Theorem 7 (Fixed-Transform Interpolation for Polynomial Remainder Codes). If

$$w_D(\bar S) \le N - K, \qquad (47)$$

then

$$a(x) = Z(x) / M_{\bar S}(x) \qquad (48)$$

with

$$Z(x) = M_{\bar S}(x)\, \psi^{-1}(\tilde c) \bmod M_n(x). \qquad (49)$$

□

The equivalence of (47) and (10) follows from noting that the left-hand side of (10) is $|M_S| = N - w_D(\bar S)$ and the right-hand side of (10) is $|M_k| = K$.

Since $\bar S$ contains the support set of $c - \tilde c$, the polynomial $M_{\bar S}(x)$ is a multiple of an error locator polynomial (as will be defined in Section 4).

In contrast to most other statements in this paper, Theorem 7 appears to be new even when specialized to Reed-Solomon codes (as in Example 2), where $M_n(x) = x^n - 1$ and the modulo operation in (49) is computationally trivial.



3.4 Minimum-Distance Decoding 

Let $C$ be a code as in Definition 2. The receiver sees $y = c + e$, where $c \in C$ is the transmitted codeword and $e$ is an error pattern. A minimum Hamming distance decoder is a decoder that produces

$$\hat c = \operatorname*{argmin}_{c \in C} d_H(c, y). \qquad (50)$$

A minimum degree-weighted distance decoder is a decoder that produces

$$\hat c = \operatorname*{argmin}_{c \in C} d_D(c, y). \qquad (51)$$

In general, the decoding rules (50) and (51) produce different estimates $\hat c$, as will be illustrated by the examples below.

Theorem 8 (Basic Error Correction Bounds). If $d_H(c, y) < d_{\min H}(C)/2$, then the rule (50) produces $\hat c = c$. If $d_D(c, y) < d_{\min D}(C)/2$, then the rule (51) produces $\hat c = c$. □

Proof: The proof follows the standard pattern; we prove only the second part. Assume $\hat c \neq c$, which implies $d_D(\hat c, y) \le d_D(c, y)$. Using the triangle inequality (38), we obtain $d_{\min D}(C) \le d_D(c, \hat c) \le d_D(c, y) + d_D(\hat c, y) \le 2\, d_D(c, y)$, which contradicts $d_D(c, y) < d_{\min D}(C)/2$. □

The second part of Theorem 8 can also be formulated as follows: if

$$w_D(e) \le t_D \triangleq \left\lfloor \frac{N - K}{2} \right\rfloor \qquad (52)$$

then the rule (51) produces $\hat c = c$. If the Ordered-Degree Condition (28) is satisfied, then the first part of Theorem 8 implies the following: if

$$w_H(e) \le t_H \triangleq \left\lfloor \frac{n - k}{2} \right\rfloor \qquad (53)$$

then the rule (50) produces $\hat c = c$.

Depending on the degrees $\deg m_i(x)$, it is possible that the condition $w_H(e) \le t_H$ implies $w_D(e) \le t_D$ (see Example 5 below). In general, however, neither of the two decoding rules (50) and (51) is uniformly stronger than the other.



Example 4. Let $k = 3$ and $n = 5$, and let $\deg m_i(x) = i$ for $i = 1, 2, \ldots, 5$. We then have $t_H = 1$, $K = 6$, $N = 15$, and $t_D = 4$. Consider the following two decoders: Decoder A corrects all errors with $w_H(e) \le t_H$ and Decoder B corrects all errors with $w_D(e) \le t_D$. We then observe:

• Decoder A corrects all single symbol errors in any position.

• Decoder B corrects all single symbol errors in the first 4 symbols (but not in position 5), and it corrects two symbol errors in positions 1 and 2, or in positions 1 and 3.

□

Example 5. Let $k = 3$ and $n = 5$, and let $\deg m_1(x) = \deg m_2(x) = \deg m_3(x) = 1$ and $\deg m_4(x) = \deg m_5(x) = 2$. We then have $t_H = 1$, $K = 3$, $N = 7$, and $t_D = 2$. Considering the same decoders as in Example 4, we observe:

• Decoder A corrects all single symbol errors in any position.

• Decoder B also corrects all single symbol errors, and in addition, it corrects any two symbol errors in the first 3 symbols.

□
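The observations of Examples 4 and 5 follow mechanically from the modulus degrees: (42) gives $d_{\min D}$ by enumerating position sets, (52) and (53) give $t_D$ and $t_H$, and the error supports each decoder is guaranteed to correct are exactly the sets with $w_D \le t_D$ or $w_H \le t_H$. The Python script below is an added example, not part of the paper; it assumes only a list of modulus degrees with positions numbered from 1 as in the examples, the first $k$ of them forming the information positions, and that the degrees are already ordered so that (19) applies. It works for any such degree profile, not just the two examples.

```python
# Added example (not from the paper): brute-force evaluation of the code parameters of
# Section 3 from the modulus degrees alone, reproducing the observations of Examples 4
# and 5. Positions are numbered 1..n as in those examples; degrees[i-1] = deg m_i(x).
from itertools import combinations


def code_parameters(degrees, k):
    """Return N, K, d_minD (via (42)), d_minH (via (19)), t_D, t_H, the right-hand side
    of the Singleton bound (45), and the error supports (position sets) that Decoder A
    (w_H(e) <= t_H) and Decoder B (w_D(e) <= t_D) are guaranteed to correct."""
    n = len(degrees)
    N = sum(degrees)                       # (33)
    K = sum(degrees[:k])                   # (34): the first k positions carry the message
    positions = range(1, n + 1)

    def w_D(S):                            # degree weight (35) of a position set
        return sum(degrees[i - 1] for i in S)

    subsets = [S for r in range(n + 1) for S in combinations(positions, r)]
    # Theorem 5, (42): smallest degree weight exceeding N - K
    d_minD = min(w_D(S) for S in subsets if w_D(S) > N - K)
    # Theorem 3, (19): valid because the degrees satisfy the Ordered-Degree Condition (28)
    assert list(degrees) == sorted(degrees), "Ordered-Degree Condition required for (19)"
    d_minH = n - k + 1
    t_D, t_H = (N - K) // 2, (n - k) // 2  # (52), (53)
    # right-hand side of (45); it equals K by (46), i.e. the Singleton bound is tight
    singleton_rhs = min(w_D(S) for S in subsets if w_D(S) > N - d_minD)
    decoder_A = [S for S in subsets if 0 < len(S) <= t_H]   # Hamming weight of e
    decoder_B = [S for S in subsets if 0 < w_D(S) <= t_D]   # degree weight of e
    return dict(N=N, K=K, d_minD=d_minD, d_minH=d_minH, t_D=t_D, t_H=t_H,
                singleton_rhs=singleton_rhs, A=decoder_A, B=decoder_B)


if __name__ == "__main__":
    for degs in ([1, 2, 3, 4, 5], [1, 1, 1, 2, 2]):   # Examples 4 and 5
        p = code_parameters(degs, 3)
        print(degs, {key: p[key] for key in ("N", "K", "d_minD", "d_minH", "t_D", "t_H")})
        print("  Decoder A corrects error supports:", p["A"])
        print("  Decoder B corrects error supports:", p["B"])
```

For Example 4 the script lists Decoder B's supports as $\{1\}, \{2\}, \{3\}, \{4\}, \{1, 2\}, \{1, 3\}$ and for Example 5 as all five singletons plus every pair inside $\{1, 2, 3\}$, matching the bullets above; it also reports $d_{\min D} = 10$ and $5$, respectively, and confirms that the right-hand side of (45) equals $K$ in both cases.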



3.5 Summary of Code Parameters 



Let us summarize the key parameters of a polynomial remainder code $C$ both in terms of Hamming distance and in terms of degree-weighted distance. For the latter, the code parameters are $(N, K, d_{\min D})$ with $N$, $K$, and $d_{\min D}$ defined as in (33), (34), (39) and with $d_{\min D}$ as in (42). By the rate of the code, we mean the quantity

$$\frac{1}{N} \log_{|F|} |C| = \frac{K}{N} \qquad (54)$$

where $F$ is the underlying field.

With respect to Hamming distance, we have the parameters $(n, k, d_{\min H})$ and the symbol rate $k/n$. If the code $C$ satisfies the Ordered-Degree Condition (28), we have $d_{\min H} = n - k + 1$.

In the special case where all the moduli $m_0(x), \ldots, m_{n-1}(x)$ have the same degree, the two triples $(N, K, d_{\min D})$ and $(n, k, d_{\min H})$ are equal up to a scale factor and the rate (54) equals the symbol rate $k/n$.



4 Error Factor Polynomial 



Decoding Reed-Solomon codes can be reduced to solving a key equation that involves an error locator polynomial [15]. We are going to propose such an approach for polynomial remainder codes. As it turns out, in general (i.e., beyond irreducible remainder codes), we will need a slight generalization of an error locator polynomial.

Let $C$ be a polynomial remainder code of the form (27). For the received $y = c + e$, where $c = (c_0, \ldots, c_{n-1}) \in C$ is a transmitted codeword, and where $e = (e_0, \ldots, e_{n-1})$ is an error pattern, let $Y(x) = a(x) + E(x)$ denote the pre-image $\psi^{-1}(y)$ of $y$ with $\psi^{-1}$ as in (2), where $a(x) = \psi^{-1}(c)$ is the transmitted-message polynomial, and where $E(x)$ denotes the pre-image $\psi^{-1}(e)$ of the error $e$.

4.1 Error Factor Polynomial, Key Equation, and Interpolation 

Definition 4. An error factor polynomial is a nonzero polynomial $\Lambda(x) \in F[x]$ such that

$$\Lambda(x) E(x) \bmod M_n(x) = 0. \qquad (55)$$

□

Clearly, the polynomial

$$\Lambda_f(x) \triangleq \frac{M_n(x)}{\gcd(E(x), M_n(x))} \qquad (56)$$

is the unique monic polynomial of the smallest degree that satisfies (55). A closely related notion is the error locator polynomial

$$\Lambda_e(x) = \prod_{i:\, e_i \neq 0} m_i(x), \qquad (57)$$

which is of degree $\deg \Lambda_e(x) = w_D(e)$. Note that $\Lambda_e(x)$ qualifies as an error factor polynomial. In the special case where all the moduli $m_i(x)$, $0 \le i \le n-1$, are irreducible (e.g., for irreducible polynomial remainder codes), we have

$$\gcd(E(x), M_n(x)) = \prod_{i:\, e_i = 0} m_i(x) \qquad (58)$$

and thus $\Lambda_f(x) = \Lambda_e(x)$.

In any case, every error factor polynomial $\Lambda(x)$ is a multiple of $\Lambda_f(x)$. This applies, in particular, to $\Lambda_e(x)$ and thus

$$\deg \Lambda_f(x) \le \deg \Lambda_e(x) = w_D(e). \qquad (59)$$

The following theorem is then obvious:
Theorem 9 (Key Equation). The error factor polynomial (56) satisfies

$$A(x) M_n(x) = \Lambda_f(x) E(x) \qquad (60)$$

for some polynomial $A(x) \in F[x]$ of degree smaller than $\deg \Lambda_f(x)$. Conversely, if some monic polynomial $G(x) \in F[x]$ satisfies

$$A(x) M_n(x) = G(x) E(x) \qquad (61)$$

for some $A(x) \in F[x]$, then $G(x)$ is a multiple of $\Lambda_f(x)$. □

For irreducible polynomial remainder codes, $\Lambda_f(x)$ in Theorem 9 can be replaced everywhere by $\Lambda_e(x)$ because, in this case, $\Lambda_f(x) = \Lambda_e(x)$.

The following theorem is a slight generalization of Theorem 7.

Theorem 10 (Error Factor-based Interpolation). If $G(x)$ is a multiple of $\Lambda_f(x)$ with

$$\deg G(x) \le N - K, \qquad (62)$$

then

$$a(x) = \frac{G(x) Y(x) \bmod M_n(x)}{G(x)}. \qquad (63)$$

□

Proof: With $Y(x) = a(x) + E(x)$ and with $G(x)$ satisfying (62), we have

$$G(x) Y(x) \bmod M_n(x) = G(x)\,(a(x) + E(x)) \bmod M_n(x) = G(x) a(x) + \tilde E(x) \qquad (64)$$

with

$$\tilde E(x) = G(x) E(x) \bmod M_n(x). \qquad (65)$$

If $G(x)$ is a multiple of $\Lambda_f(x)$, then $\tilde E(x) = 0$ by Theorem 9 and (63) follows. □

For irreducible polynomial remainder codes, $\Lambda_f(x)$ in Theorem 10 can be replaced by $\Lambda_e(x)$ and Theorem 10 reduces to Theorem 7. For non-irreducible codes, however, Theorem 10 is more general than Theorem 7 because error patterns with $w_D(e) > N - K$ but $\deg \Lambda_f(x) \le N - K$ can exist.



4.2 Error Factor Test and Error Locator Test 



Recall $t_D = \lfloor (N - K)/2 \rfloor$ from (52) and $t_H = \lfloor (n - k)/2 \rfloor$ from (53).



Theorem 11 (Error Factor Test). Let $y = \psi(a) + e$ as above, let $G(x)$ be a nonzero polynomial, and let

$$Z(x) = G(x) Y(x) \bmod M_n(x).$$

Assume that the following conditions are satisfied:

1. $\deg \Lambda_f(x) \le t_D$

2. $\deg G(x) \le t_D$

3. $G(x)$ divides $Z(x)$

4. $\deg Z(x) - \deg G(x) < K$.

Then $G(x)$ is a multiple of $\Lambda_f(x)$ and $Z(x) = G(x) a(x)$. □

Note that the conditions in the theorem are satisfied for $G(x) = \Lambda_f(x)$. Note also that for non-irreducible polynomial remainder codes, there may exist error patterns such that $w_D(e) > t_D$ but $\deg \Lambda_f(x) \le t_D$. For irreducible polynomial remainder codes, Condition 1 in Theorem 11 is equivalent to $\deg \Lambda_e(x) = w_D(e) \le t_D$, and $\Lambda_f(x)$ in Theorem 11 can be replaced everywhere by $\Lambda_e(x)$.

Proof of Theorem 11: Assume that Conditions 1-4 are satisfied. Note that Condition 2 implies (62), and thus (64) and (65). From (64) and Condition 3, we have

$$\tilde E(x) = G(x) Q(x) \qquad (66)$$

for some polynomial $Q(x)$ and (64) can be written as

$$Z(x) = G(x)\,(a(x) + Q(x)). \qquad (67)$$

From Condition 4, we then have

$$\deg Q(x) < K. \qquad (68)$$

Furthermore, from (65) and (66), we have $G(x) E(x) = b(x) M_n(x) + G(x) Q(x)$ for some polynomial $b(x)$ and thus

$$G(x)\,(E(x) - Q(x)) = b(x) M_n(x). \qquad (69)$$

Let

$$\bar\Lambda_f(x) = M_n(x) / \Lambda_f(x) = \gcd(E(x), M_n(x)). \qquad (70)$$

Since $\deg \Lambda_f(x) \le t_D$, we have $\deg \bar\Lambda_f(x) \ge N - t_D$. Taking (69) modulo $\bar\Lambda_f(x)$ yields

$$G(x) Q(x) \bmod \bar\Lambda_f(x) = 0 \qquad (71)$$

since $E(x) \bmod \bar\Lambda_f(x) = 0$. From (71), we have either $Q(x) = 0$ or $\deg Q(x) \ge \deg \bar\Lambda_f(x) - \deg G(x) \ge N - 2t_D \ge K$ since $\deg G(x) \le t_D$. From (68), we then conclude $Q(x) = 0$. Thus $\tilde E(x) = 0$ from (66) and $Z(x) = G(x) a(x)$ from (64). Finally, from (65) (with $\tilde E(x) = 0$) and the converse part of Theorem 9, it follows that $G(x)$ is a multiple of $\Lambda_f(x)$. □

If the code $C$ further satisfies the Ordered-Degree Condition (28), we have the following analog of Theorem 11. Let $N_{\mathrm{zero}}(G)$ denote the number of indices $j \in \{0, \ldots, n-1\}$ such that $G(x) \bmod m_j(x) = 0$. Note that $N_{\mathrm{zero}}(\Lambda_e) = w_H(e)$.
Theorem 12 (Error Locator Test). Let $C$ be a polynomial remainder code that satisfies the Ordered-Degree Condition and let $y = \psi(a) + e$ as above. For some set $S \subset \{0, 1, \ldots, n-1\}$ of indices, let $G(x) = \prod_{i \in S} m_i(x)$ and let

$$Z(x) = G(x) Y(x) \bmod M_n(x).$$

Assume that the following conditions are satisfied:

1. $w_H(e) \le t_H$

2. $N_{\mathrm{zero}}(G) \le t_H$ and $\deg G(x) \le \sum_{i = n - t_H}^{n-1} \deg m_i(x)$

3. $G(x)$ divides $Z(x)$

4. $\deg Z(x) - \deg G(x) < K$.

Then, $G(x)$ is a multiple of $\Lambda_e(x)$ and $Z(x) = G(x) a(x)$. □

Note that the conditions in the theorem are satisfied for $G(x) = \Lambda_e(x)$.

Proof: Note that Condition 2 implies (62) and Conditions 3 and 4 are the same as the two corresponding conditions in Theorem 11. Assume now that Conditions 1-4 are satisfied. It is easily verified that we then have both (64)-(65) and (66)-(69) for some polynomial $Q(x)$. Let $S_{\mathrm{zero}}$ denote the set of indices $i \in \{0, 1, \ldots, n-1\}$ such that $E(x) \bmod m_i(x) = 0$. Equation (69) implies that, for each $i \in S_{\mathrm{zero}}$, we have

$$G(x) Q(x) \bmod m_i(x) = 0 \qquad (72)$$

and thus $N_{\mathrm{zero}}(Q) \ge |S_{\mathrm{zero}}| - N_{\mathrm{zero}}(G)$. Since $N_{\mathrm{zero}}(G) \le t_H$ and $|S_{\mathrm{zero}}| = n - w_H(e) \ge n - t_H$, we have $N_{\mathrm{zero}}(Q) \ge n - 2t_H$. It follows that $N_{\mathrm{zero}}(Q) \ge k$, which implies either $\deg Q(x) \ge K$ or $Q(x) = 0$. It then follows from (68) that $Q(x) = 0$.

We then have $\tilde E(x) = 0$ from (66) and thus $Z(x) = G(x) a(x)$ from (64). Finally, from (65) (with $\tilde E(x) = 0$) and the converse part of Theorem 9, it follows that $G(x)$ $(= \prod_{i \in S} m_i(x))$ is a multiple of $\Lambda_e(x)$. □



5 Decoding by the Extended GCD Algorithm 



For Reed-Solomon codes, the use of the extended gcd algorithm to compute an error locator polynomial is standard [16]. Gcd-based decoding of polynomial remainder codes was proposed by Shiozaki [7]. However, the assumptions in [7] do not cover all codes considered in the present paper. In particular, in [7], the moduli $m_i(x)$ are assumed to have the same degree and they are implicitly assumed to be irreducible, as will be discussed in Section 5.5. In order to properly address these issues, we need to develop gcd-based decoding accordingly. We then obtain several versions of gcd-based decoding (summarized in Section 5.4), some of which are not quite standard even when specialized to Reed-Solomon codes.
5.1 An Extended GCD Algorithm

As in Section 4, let $c$ be the transmitted codeword, let $e$ be the error pattern, and let $y = c + e$ be the corrupted codeword that the receiver gets to see. Let $a(x)$, $E(x) = \sum_{i=0}^{N-1} E_i x^i$, and $Y(x) = \sum_{i=0}^{N-1} Y_i x^i$ be the pre-images of these quantities with respect to $\psi$. The general idea of gcd decoding is to compute $\gcd(M_n(x), E(x))$ despite the fact that $E(x)$ is not fully known. We begin by stating the extended gcd algorithm in the following (not quite standard) form, where we assume for the moment that $E(x)$ is fully known.

Extended GCD Algorithm

Input: $M_n(x)$ and $E(x)$ with $\deg M_n(x) > \deg E(x)$.

Output: polynomials $\tilde r(x), s(x), t(x) \in F[x]$ where $\tilde r(x) = \gamma \gcd(M_n(x), E(x))$ for some nonzero $\gamma \in F$ and where $s(x)$ and $t(x)$ satisfy $s(x) \cdot M_n(x) + t(x) \cdot E(x) = 0$.

1   if $E(x) = 0$ begin
2     $\tilde r(x) := M_n(x)$, $s(x) := 0$, $t(x) := 1$
3     return $\tilde r(x), s(x), t(x)$
4   end
5   $r(x) := M_n(x)$
6   $\tilde r(x) := E(x)$
7   $s(x) := 1$
8   $t(x) := 0$
9   $\tilde s(x) := 0$
10  $\tilde t(x) := 1$
11  loop begin
12    $i := \deg r(x)$
13    $j := \deg \tilde r(x)$
14    while $i \ge j$ begin
15      $q(x) := \dfrac{r_i}{\tilde r_j}\, x^{i-j}$
16      $r(x) := r(x) - q(x) \cdot \tilde r(x)$
17      $s(x) := s(x) - q(x) \cdot \tilde s(x)$
18      $t(x) := t(x) - q(x) \cdot \tilde t(x)$
19      $i := \deg r(x)$
20    end
21    if $r(x) = 0$ begin
22      return $\tilde r(x), s(x), t(x)$
23    end
24    $(r(x), \tilde r(x)) := (\tilde r(x), r(x))$
25    $(s(x), \tilde s(x)) := (\tilde s(x), s(x))$
26    $(t(x), \tilde t(x)) := (\tilde t(x), t(x))$
27  end

□

The inner loop between lines 14 and 20 essentially computes the division of $r(x)$ by $\tilde r(x)$. In line 15, $r_i$ denotes the coefficient of $x^i$ in $r(x)$ and $\tilde r_j$ denotes the coefficient of $x^j$ in $\tilde r(x)$. For polynomials over $F = \mathrm{GF}(2)$, the scalar division $r_i / \tilde r_j$ in line 15 disappears.

Theorem 13 (GCD Loop Invariants). The condition

$$\gcd\big(M_n(x), E(x)\big) = \gcd\big(r(x), \tilde{r}(x)\big) \tag{73}$$

holds everywhere after line 6. The condition

$$r(x) = s(x) \cdot M_n(x) + t(x) \cdot E(x) \tag{74}$$

holds both between lines 13 and 14 and between lines 20 and 21. The condition

$$\deg M_n(x) = \deg \tilde{r}(x) + \deg t(x) \tag{75}$$

holds between lines 20 and 21. □

Equations (73) and (74) are the standard loop invariants of extended gcd algorithms, cf. e.g. [15]. The proof of Theorem 13 is given in Appendix B.



Theorem 14 (GCD Output). When the algorithm terminates, we have both

$$\tilde{r}(x) = \gamma \gcd\big(M_n(x), E(x)\big) \tag{76}$$
$$= \gamma\, \frac{M_n(x)}{\Lambda_f(x)} \tag{77}$$

for some nonzero γ ∈ F and

$$t(x) = \tilde{\gamma}\, \Lambda_f(x) \tag{78}$$

for some nonzero γ̃ ∈ F. Moreover, the returned s(x) and t(x) satisfy

$$s(x) \cdot M_n(x) + t(x) \cdot E(x) = 0. \tag{79}$$
□

Proof: If E(x) = 0, the algorithm terminates at line 3 and (76)-(79) are easily verified. We now prove the case where E(x) ≠ 0. Equation (76) follows from (73), and (77) follows from (56). It remains to prove (78) and (79). With r(x) = 0 and from (74), Equation (79) follows. We then conclude from the second part of Theorem 9 that t(x) is a multiple of Λ_f(x). Finally, it follows from (75) and (77) that t(x) and Λ_f(x) have the same degree. □

From (78), we see that the gcd algorithm computes the error factor polynomial Λ_f(x) (up to a scale factor). The main idea of gcd decoding (discovered by Sugiyama [16]) is that this still works even if E(x) is only partially known.
5.2 Modifications for Partially Known E(x)

Recall that Y(x) = a(x) + E(x) where $E(x) = \sum_{\ell=0}^{N-1} E_\ell x^\ell$ is the pre-image of e. Since deg a(x) < K, the receiver knows the coefficients E_K, E_{K+1}, ..., E_{N−1} of E(x), but not E_0, ..., E_{K−1}. With the following modifications, the Extended GCD Algorithm of Section 5.1 can still be used to compute (78).

Partial GCD Algorithm I

Input: M_n(x) and Y(x) with deg M_n(x) > deg Y(x).

Output: r(x), s(x) and t(x), cf. Theorem 15 below.

The algorithm is the same as the Extended GCD Algorithm of Section 5.1 except for the following changes:

• Line 1: if deg Y(x) < K begin

• Line 2: r̃(x) := Y(x), s(x) := 0, t(x) := 1

• Line 6: r̃(x) := Y(x)

• Line 21:

$$\text{if } \deg r(x) < \deg t(x) + K \text{ begin} \tag{80}$$

or alternatively

$$\text{if } \deg r(x) < (N + K)/2 \text{ begin} \tag{81}$$
□

Theorem 15. If

$$\deg \Lambda_f(x) \le (N - K)/2, \tag{82}$$

then the Partial GCD Algorithm I (with either (80) or (81)) returns the same polynomials s(x) and t(x) (after the same number of iterations) as the Extended GCD Algorithm of Section 5.1. Moreover, the returned r(x) is such that

$$r(x) = t(x)\, a(x). \tag{83}$$
□

The proof is given in Appendix B. Note that a(x) can be recovered directly from (83).



5.3 Alternative Modifications for Partially Known E(x)

The Partial GCD Algorithm I of the previous section involves a lot of computations with the unknown lower parts of E(x). These computations are avoided in the following algorithm, which works only with the known part of E(x) as follows. Let

$$E_U(x) = \sum_{\ell=0}^{N-K-1} E_{K+\ell}\, x^\ell, \tag{84}$$

which is the known upper part of $E(x) = \sum_{\ell=0}^{N-1} E_\ell x^\ell$, and let

$$M_U(x) = \sum_{\ell=0}^{N-K} (M_n)_{K+\ell}\, x^\ell \tag{85}$$

be the corresponding upper part of $M_n(x) = \sum_{\ell=0}^{N} (M_n)_\ell\, x^\ell$.

Partial GCD Algorithm II

Input: M_U(x) and E_U(x) with deg M_U(x) > deg E_U(x).

Output: s(x) and t(x), cf. Theorem 16 below.

The algorithm is the same as the Extended GCD Algorithm of Section 5.1 except for the following changes:

• Line 1: if E_U(x) = 0 begin

• Line 2: s(x) := 0, t(x) := 1

• Line 5: r(x) := M_U(x)

• Line 6: r̃(x) := E_U(x)

• Line 21:

$$\text{if } \deg r(x) < \deg t(x) \text{ begin} \tag{86}$$

or alternatively

$$\text{if } \deg r(x) < (N - K)/2 \text{ begin} \tag{87}$$
□

Theorem 16. If the condition (82) is satisfied, then the Partial GCD Algorithm II (with either (86) or (87)) returns the same polynomials s(x) and t(x) (after the same number of iterations) as the Extended GCD Algorithm of Section 5.1. □

The proof is given in Appendix C. Note, however, that this algorithm does not compute r(x) as in (83).



5.4 Summary of Decoding

We can now put together several decoding algorithms that consist of the following three steps. The relation of all these decoding algorithms to the prior literature is discussed in Section 5.5.

1. Transform: Compute Y(x) = ψ^{−1}(y). If deg Y(x) < K, we conclude E(x) = 0 and a(x) = Y(x), and the following two steps can be skipped.

2. Partial GCD: If deg Y(x) ≥ K, run either the Partial GCD Algorithm I (Section 5.2) or the Partial GCD Algorithm II (Section 5.3). Either algorithm yields the polynomial t(x) = γ Λ_f(x) (for some scalar γ ∈ F) provided that deg Λ_f(x) ≤ (N − K)/2.

   If deg t(x) > (N − K)/2, we declare a decoding failure.

   Depending on Step 3 (below), the computation of the polynomials s(x) and s̃(x) may be unnecessary. In this case, lines 7, 9, 17, and 25 of the gcd algorithm can be deleted.



3. Recovery: Recover a(x) by any of the following methods:

   (a) From (63), we have

   $$a(x) = \frac{t(x)\, Y(x) \bmod M_n(x)}{t(x)}. \tag{88}$$

   (If the numerator of (88) is not a multiple of t(x) or if deg a(x) ≥ K, then decoding failed due to some uncorrectable error.)

   (b) When using the Partial GCD Algorithm I in Step 2, we can compute a(x) = r(x)/t(x) according to (83).

   (If t(x) does not divide r(x) or if deg a(x) ≥ K, we declare a decoding failure.)

   (c) Alternatively, from (79), we can compute

   $$E(x) = \frac{-s(x) \cdot M_n(x)}{t(x)} \tag{89}$$

   and then obtain a(x) = Y(x) − E(x).

   (If the numerator of (89) is not a multiple of t(x) or if deg a(x) ≥ K, we declare a decoding failure.)

   The computation can be simplified as follows. Let E_L(x) = E(x) − x^K E_U(x) denote the unknown part of E(x). Then

   $$E_L(x) = \frac{-s(x) \cdot M_n(x) - x^K\, t(x)\, E_U(x)}{t(x)} \tag{90}$$

   and a(x) can be recovered by $a(x) = \sum_{\ell=0}^{K-1} Y_\ell x^\ell - E_L(x)$.
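The three decoding steps above, run with the Partial GCD Algorithm I and recovery (83) (cross-checked by (88)), as an added worked example over F = GF(2) that is not code from the paper. The moduli, message and error patterns are constructed for the demonstration, and the helper names (pmul, pdivmod, crt, partial_gcd_1, decode, demo) are this example's own.

```python
"""GCD-based decoding of a polynomial remainder code over F = GF(2): polynomials
are Python ints (bit i = coefficient of x^i), so addition is XOR and the scalar
division r_i / r~_j of line 15 in the Extended GCD Algorithm disappears."""
from functools import reduce

def deg(p):
    """Degree of p, with deg 0 = -1."""
    return p.bit_length() - 1

def pmul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, b):
    """Quotient and remainder of a by b (b != 0) in GF(2)[x]."""
    q = 0
    while a and deg(a) >= deg(b):
        sh = deg(a) - deg(b)
        q ^= 1 << sh
        a ^= b << sh
    return q, a

def pinv(a, m):
    """Inverse of a modulo m (classical extended Euclid; gcd must be 1)."""
    r0, r1, t0, t1 = m, pdivmod(a, m)[1], 0, 1
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, t0 ^ pmul(q, t1)
    assert r0 == 1, "moduli must be pairwise coprime"
    return pdivmod(t0, m)[1]

def encode(a, moduli):
    """psi: the codeword is the list of residues a(x) mod m_i(x)."""
    return [pdivmod(a, m)[1] for m in moduli]

def crt(residues, moduli):
    """psi^-1: the unique Y with deg Y < deg M_n and Y = y_i mod m_i."""
    mn, y = reduce(pmul, moduli, 1), 0
    for yi, mi in zip(residues, moduli):
        mi_hat = pdivmod(mn, mi)[0]                    # M_n / m_i
        y ^= pmul(yi, pmul(mi_hat, pinv(mi_hat, mi)))  # 1 mod m_i, 0 mod m_j
    return pdivmod(y, mn)[1]

def partial_gcd_1(mn, y, K):
    """Partial GCD Algorithm I (Section 5.2): the Extended GCD Algorithm on
    (M_n, Y) with lines 1, 2, 6 modified and stopping rule (80).  If
    deg Lambda_f <= (N-K)/2 it returns t = Lambda_f and r = t*a (Theorem 15)."""
    if deg(y) < K:                              # lines 1-4: E(x) = 0
        return y, 0, 1
    r, rt, s, t, st, tt = mn, y, 1, 0, 0, 1     # lines 5-10; rt, st, tt are r~, s~, t~
    while True:                                 # line 11
        i, j = deg(r), deg(rt)                  # lines 12-13
        while i >= j:                           # lines 14-20: divide r by r~
            q = 1 << (i - j)                    # line 15
            r, s, t = r ^ pmul(q, rt), s ^ pmul(q, st), t ^ pmul(q, tt)
            i = deg(r)
        if deg(r) < deg(t) + K:                 # line 21, condition (80)
            return r, s, t
        r, rt, s, st, t, tt = rt, r, st, s, tt, t   # lines 24-26

def decode(received, moduli, k):
    """Steps 1-3 of Section 5.4 (first k moduli carry the information)."""
    mn = reduce(pmul, moduli, 1)
    N, K = deg(mn), sum(deg(m) for m in moduli[:k])
    y = crt(received, moduli)                   # Step 1: Transform
    if deg(y) < K:
        return y
    r, s, t = partial_gcd_1(mn, y, K)           # Step 2: Partial GCD
    if 2 * deg(t) > N - K:
        return None                             # decoding failure
    a, rem = pdivmod(r, t)                      # Step 3(b): a = r / t
    if rem or deg(a) >= K:
        return None
    if pdivmod(pdivmod(pmul(t, y), mn)[1], t) != (a, 0):
        return None                             # (88) must agree with (83)
    return a

# Constructed code: irreducible moduli of degrees 2, 3, 3, 4, 4 (N = 16), the
# first k = 2 carrying the information (K = 5): any error with error factor
# degree <= (N-K)/2 = 5.5 is corrected, e.g. hits on m_0 and m_1 (2 + 3).
MODULI = [0b111, 0b1011, 0b1101, 0b10011, 0b11001]
K_SYMBOLS = 2
MESSAGE = 0b10110                               # a(x) = x^4 + x^2 + x

def demo(positions, patterns):
    word = encode(MESSAGE, MODULI)              # add constructed error patterns
    for pos, pat in zip(positions, patterns):
        word[pos] ^= pat
    return decode(word, MODULI, K_SYMBOLS)
```

Errors in m_3 and m_4 together have error factor degree 8 > 5.5, so demo([3, 4], [0b1, 0b1]) either declares a failure or miscorrects, but can never return MESSAGE.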

As stated, the described decoding algorithms are guaranteed to correct all errors e with deg Λ_f(x) ≤ t_D, which by (59) implies that they also correct all errors e with w_D(e) ≤ t_D (52). If the code satisfies the Ordered-Degree Condition (28) as well as the additional condition

$$\deg m_k(x) = \deg m_{n-1}(x), \tag{91}$$

then the algorithm is guaranteed to correct also all errors e with w_H(e) ≤ t_H (53) since in this case, from (57), w_H(e) ≤ t_H implies w_D(e) ≤ t_D.
An Extension

Assume that the code satisfies the Ordered-Degree Condition (28) but not the additional condition (91). In this case, we can still correct all errors e with w_H(e) ≤ t_H (in addition to all errors with w_D(e) ≤ t_D) by the following procedure, which, however, is practical only in special cases.

Decoder with List of Special Error Positions

First, run the gcd decoder of the previous section. If it succeeds, stop. Otherwise, let S_1 be a precomputed list of candidate error locator polynomials G(x) with N_zero(G) ≤ t_H and deg G(x) > (N − K)/2. Check if any G(x) ∈ S_1 satisfies all conditions of Theorem 12. If such a polynomial G(x) exists, we conclude that it is a multiple of the error locator polynomial and we compute a(x) from (63). □



5.5 Relation to Prior Work

The idea of gcd-based decoding is due to Sugiyama [16] and its application to polynomial remainder codes is due to Shiozaki [7]. As it turns out, most (and perhaps all) gcd-based decoding algorithms in the literature, both for Reed-Solomon codes and for polynomial residue codes, are essentially identical to one of the algorithms of Section 5.4. However, even when specialized to Reed-Solomon codes, no single paper (not even […]) seems to cover all these algorithms. In particular, recovering a(x) by (88) does not seem to have appeared in the literature. For Reed-Solomon codes, the work by Gao [17] appears to be the most pertinent, see also [18], [19]. As for polynomial remainder codes, our algorithms overcome the limitations of Shiozaki's algorithm [7] as will be discussed below.



Relation to Gao's Decoding Algorithms for Reed-Solomon Codes

In the same paper [17] from 2003, Gao proposed two algorithms for decoding Reed-Solomon codes. Each algorithm comprises three steps, and the first step of each algorithm is essentially Step 1 ("Transform") of Section 5.4.

Gao's first algorithm: Step 2 of this algorithm is essentially the Partial GCD Algorithm I of Section 5.2 with (81) as the stopping condition. Step 3 is identical to Step 3.b in Section 5.4. As pointed out in [19], this algorithm is actually identical to Shiozaki's 1988 algorithm for decoding Reed-Solomon codes [7].

Gao's second algorithm: The stopping condition of the gcd-algorithm (Step 2) as stated in [17] is not quite correct: it should be changed from deg g(x) < (d + 1)/2 to deg g(x) < (d − 1)/2 where d = n − k + 1 is the minimum Hamming distance of the code.

With this correction, Step 2 of this algorithm is identical to the Partial GCD Algorithm II of Section 5.3 with (87) as the stopping condition. Step 3 of the algorithm turns out to be equivalent to the first part of 3.c in Section 5.4, i.e., computing a(x) = Y(x) − E(x) with E(x) as in (89).



Relation to Shiozaki's Decoding Algorithms

In [7], Shiozaki proposed a new version of gcd-based decoding for Reed-Solomon codes, which he also extended to polynomial remainder codes. (For Reed-Solomon codes, Shiozaki's algorithm is equivalent to Gao's first decoding algorithm, as noted above.)

Shiozaki's algorithm also consists of three steps: the first step agrees with Step 1 in Section 5.4, the second step is equivalent to the Partial GCD Algorithm I with (81) as the stopping condition, and the third step is identical to Step 3.b of Section 5.4.

However, the assumptions in [7] do not cover all codes considered in the present paper. First, it is assumed in [7] that all the moduli m_i(x), 0 ≤ i ≤ n − 1, have the same degree.

Second, the argument given in [7] seems to assume that all the moduli are irreducible although this assumption is not stated explicitly. Specifically, Shiozaki derived a congruence (see (37) in [7]) involving an error locator polynomial as defined in (57), and then used the gcd-based decoding algorithm to solve the congruence. However, if the moduli are not irreducible, then the gcd-based decoding algorithm will find an error factor polynomial (56) (as shown in our Theorems 14 and 15) rather than an error locator polynomial.



6 Conclusion 

We considered polynomial remainder codes and their decoding more carefully than in 
previous work. We explicitly allowed the code symbols to be polynomials of different 
degrees, which leads to two different notions of weight and distance and, correspondingly, 
to two different Singleton bounds. 

Our discussion of algebraic decoding revolved around the notion of an error factor 
polynomial, which is a generalization of an error locator polynomial. From a correct error 
factor polynomial, the transmitted codeword can be recovered in various ways, including 
a new method for erasures-only decoding of general Chinese remainder codes. 

Error factor polynomials can be computed by a suitably adapted partial gcd algorithm. 
We obtained several versions of such decoding algorithms, which generalize previous work 
and which include the published gcd-based decoders of Reed-Solomon codes as special 
cases. 
Appendix A: The Number of Monic Irreducible Polynomials

The number of monic irreducible polynomials of any degree over any finite field can be expressed in closed form [15]. However, this closed-form expression is not easy to evaluate. Therefore, for the convenience of the reader, we tabulate some of these numbers.

The first table gives the number N_i of binary irreducible polynomials of degree i:

  i    |   1    2    3    4    5    6     7     8     9    10    11    12
  N_i  |   2    1    2    3    6    9    18    30    56    99   186   335
  S_i  |   2    4   10   22   52  106   232   472   976  1966  4012  8032

  i    |    13     14     15      16
  N_i  |   630   1161   2182    4080
  S_i  | 16222  32476  65206  130486

The table also gives the number $S_i = \sum_{j=1}^{i} j\, N_j$, which is the maximum degree of M_n(x) of a polynomial remainder code that uses only irreducible moduli of degree at most i.

The second table gives the number N_v of monic irreducible polynomials over GF(2^j) of degree v:

       | GF(2^2)  GF(2^4)  GF(2^6)  GF(2^8)  GF(2^10)  GF(2^12)
  N_1  |    4       16       64      256      1024      4096
  N_2  |    6      120     2016    32640    523776   8386560

E.g., over GF(2^8), there are 256 monic irreducible polynomials of degree 1 and 32640 polynomials of degree 2.



Appendix B: Proof of Theorem 15

In this section, we first prove the loop invariant properties of the Extended GCD Algorithm in Section 5.1 and the Partial GCD Algorithm I in Section 5.2, and then proceed to prove Theorem 15.

We begin with the Extended GCD Algorithm of Section 5.1. In order to prove Theorem 13, we first recall that, for R = ℤ or R = F[x] for some field F,

$$\gcd(a, b) = \gcd(a + qb, b) \tag{92}$$

for all a, b, q ∈ R, provided that a and b are not both zero. It follows that (73) holds everywhere after line 6.

The other claims of Theorem 13 are covered by the following lemma.
Lemma 1 (GCD Loop Invariant). For the Extended GCD Algorithm in Section 5.1, the condition

$$r(x) = s(x) \cdot M_n(x) + t(x) \cdot E(x) \tag{93}$$

holds both between lines 13 and 14 and between lines 20 and 21. For the Partial GCD Algorithm I in Section 5.2, the condition

$$r(x) = s(x) \cdot M_n(x) + t(x) \cdot Y(x) \tag{94}$$

also holds both between lines 13 and 14 and between lines 20 and 21. For both algorithms, the conditions

$$\deg r(x) < \deg \tilde{r}(x) \tag{95}$$
$$\deg t(x) \ge \deg \tilde{t}(x) \tag{96}$$
$$\deg M_n(x) = \deg \tilde{r}(x) + \deg t(x) \tag{97}$$

hold between lines 20 and 21. Specifically, let δ_ℓ denote the degree of q(x) (line 15) in the first iteration of the while block (lines 14-20) of the ℓ-th loop iteration. Then, for the respective algorithms,

$$\deg t(x) = \deg \tilde{t}(x) + \delta_\ell = \sum_{v=1}^{\ell} \delta_v \tag{98}$$

holds between lines 20 and 21 in the ℓ-th loop iteration. □



Proof: Conditions (93) and (94) are loop invariants (of the respective algorithms), as is easily verified. Inequality (95) is obvious. It remains to prove (96)-(98). For both algorithms, assume the conditions

$$\deg r(x) \ge \deg \tilde{r}(x) \tag{99}$$
$$\deg t(x) \le \deg \tilde{t}(x) \tag{100}$$
$$\deg M_n(x) = \deg r(x) + \deg \tilde{t}(x) \tag{101}$$

hold between lines 13 and 14 in the ℓ-th loop iteration. Note that r(x), r̃(x), t(x), and t̃(x) are initialized to M_n(x), E(x) or Y(x), 0, and 1, respectively; thus (99)-(101) obviously hold between lines 13 and 14 in the first iteration. In the following, we begin with ℓ = 1 and then complete the proof by induction.

For both algorithms, let d_ℓ = deg r(x) denote the degree of r(x) between lines 13 and 14 in the ℓ-th loop iteration, and let δ_ℓ denote the degree of q(x) (line 15) in the first iteration of the while block (lines 14-20) of the ℓ-th loop iteration. Note that δ_ℓ = d_ℓ − deg r̃(x) ≥ 0 and from (101)

$$\deg M_n(x) = d_\ell + \deg \tilde{t}(x). \tag{102}$$

Recall that, from (100), deg t(x) ≤ deg t̃(x) holds before entering the while block, and recall the update rule for t(x) in line 18. Clearly, in the first execution of line 18, the degree of t(x) is increased to deg t̃(x) + δ_ℓ, and further iterations inside the while block will not change deg t(x) since deg q(x) decreases in each iteration. It follows that deg t(x) = deg t̃(x) + δ_ℓ holds between lines 20 and 21, and in particular, deg t(x) = δ_1 holds when ℓ = 1 because deg t̃(x) = 0 holds throughout the while block of the first loop iteration. Thus, (96) and (98) both hold between lines 20 and 21 in the first loop iteration. Further, since δ_ℓ = d_ℓ − deg r̃(x), we have

$$\deg t(x) = \deg \tilde{t}(x) + d_\ell - \deg \tilde{r}(x) \tag{103}$$
$$= \deg M_n(x) - \deg \tilde{r}(x), \tag{104}$$

where the last step follows from (102), and thus (97) holds between lines 20 and 21 in the ℓ-th loop iteration.

After the swaps of the corresponding auxiliary polynomials in lines 24-26, the conditions (99)-(101) hold again between lines 13 and 14 for the subsequent loop iteration. In particular, for ℓ = 2, deg t̃(x) = δ_1 holds between lines 13 and 14 in the second loop iteration. The proof is then completed by induction. □



We now start to prove Theorem 15. If E(x) = 0, which implies deg Y(x) < K, Theorem 15 holds obviously; we thus prove in the following only the case where E(x) ≠ 0.

For the Partial GCD Algorithm I in Section 5.2, let g denote the largest integer such that the coefficient of x^g of either r(x) or of r̃(x) is unknown, or alternatively let g denote the largest integer such that the coefficient of x^g of either r(x) or of r̃(x) is "probably unmatched" with the corresponding r(x) or the corresponding r̃(x) in the Extended GCD Algorithm of Section 5.1 when we run both algorithms simultaneously. Clearly, the algorithm starts with g = K − 1, since the coefficients E_0, E_1, ..., E_{K−1} of r̃(x) := Y(x) (line 6) are unknown. Moreover, let h = max{deg r(x), deg r̃(x)}. Clearly, the algorithm starts with h = deg M_n(x) = N.



Lemma 2. For the Partial GCD Algorithm I of Section 5.2, let δ_ℓ denote the degree of q(x) in the first iteration of the while block (lines 14-20) of the ℓ-th loop iteration. If h − g > 2δ_ℓ holds between lines 13 and 14, then the value of q(x) (line 15) throughout the while block in the ℓ-th loop iteration is exactly the same as the corresponding one of the Extended GCD Algorithm of Section 5.1 in the same loop iteration. In addition, $g = (K - 1) + \sum_{v=1}^{\ell} \delta_v$ and $h = N - \sum_{v=1}^{\ell} \delta_v$ both hold between lines 20 and 21 in the ℓ-th loop iteration. □

Proof: We will prove this lemma by induction. Recall that the update rule for r(x) in line 16 is

$$r(x) := r(x) - q(x) \cdot \tilde{r}(x). \tag{105}$$

In the first loop iteration, h = deg r(x) = N and g = K − 1 clearly hold between lines 13 and 14, and g is the largest integer such that the coefficient of x^g of r̃(x) is unknown. If h − g > 2δ_1 holds between lines 13 and 14, then the first execution of (105) in the while block increases g by δ_1; afterwards, further iterations in the same block will not change g since deg q(x) decreases in each iteration. Moreover, after executing the while block, h = deg r̃(x) = N − δ_1 holds between lines 20 and 21. It is also easily seen that throughout the while block, the value of q(x) in line 15 is exactly identical to the corresponding one of the Extended GCD Algorithm.

Note that the increased g, i.e., after the first execution of (105), then denotes the largest integer such that the coefficient of x^g of r(x) is unknown. It follows after the swap of r(x) and r̃(x) in line 24 that the increased g again denotes the largest integer such that the coefficient of x^g of r̃(x) is unknown between lines 13 and 14 for the subsequent loop iteration, and the decreased h again denotes deg r(x) between lines 13 and 14 for the subsequent loop iteration. The proof is then completed by induction. □



Since h − g = N − K + 1 holds between lines 13 and 14 in the first loop iteration, it follows from Lemma 2 that if

$$2 \sum_{v=1}^{\ell} \delta_v < N - K + 1, \tag{106}$$

then, from the first to the ℓ-th loop iteration, q(x) and thus s(x) and t(x) are exactly the same as in the Extended GCD Algorithm. Moreover, from Lemma 1, $\deg t(x) = \sum_{v=1}^{\ell} \delta_v$ holds between lines 20 and 21. In order to obtain (78), which implies that deg t(x) = deg Λ_f(x), it turns out from (106) that if

$$2 \deg \Lambda_f(x) \le N - K, \tag{107}$$

which agrees with (82), then the algorithm maintains exactly the same s(x) and t(x) as the Extended GCD Algorithm of Section 5.1 until deg t(x) = deg Λ_f(x).



It remains to argue the validity of (80) and (81) (i.e., line 21 in the Partial GCD Algorithm I) as appropriate terminating conditions. Assume now that (82) is satisfied and suppose the Extended GCD Algorithm (in Section 5.1) terminates (at line 22) in the μ-th loop iteration. We will show in the following that the Partial GCD Algorithm I also terminates (at line 22) in the μ-th loop iteration.

As shown above, since both gcd algorithms maintain exactly the same s(x) and t(x) until deg t(x) = deg Λ_f(x), clearly, before the μ-th loop iteration,

$$\deg t(x) < \deg \Lambda_f(x) \le (N - K)/2 \tag{108}$$

holds between lines 20 and 21; moreover, by (97) of Lemma 1,

$$\deg \tilde{r}(x) = \deg M_n(x) - \deg t(x) \tag{109}$$
$$> (N + K)/2 \tag{110}$$
$$> \deg t(x) + K \tag{111}$$

also holds between lines 20 and 21. Further, from (96), deg t(x) ≥ deg t̃(x) holds as well between lines 20 and 21. Therefore,

$$\deg \tilde{r}(x) > (N + K)/2 > \deg t(x) + K \ge \deg \tilde{t}(x) + K \tag{112}$$

holds between lines 20 and 21 in every loop iteration before the μ-th. It then follows after swapping all auxiliary polynomials in lines 24-26 that

$$\deg r(x) > (N + K)/2 > \deg \tilde{t}(x) + K \ge \deg t(x) + K \tag{113}$$

holds between lines 13 and 14 for each subsequent loop iteration. Then, after executing the while block in the μ-th loop iteration, the Extended GCD Algorithm in Section 5.1 terminates with r(x) = 0, and (79) holds; meanwhile, for the Partial GCD Algorithm I, we obtain the desired t(x) (with deg t(x) = deg Λ_f(x)) and s(x), and we have from (94)

$$r(x) = s(x) M_n(x) + t(x) Y(x) \tag{114}$$
$$= s(x) M_n(x) + t(x) E(x) + t(x) a(x) \tag{115}$$
$$= t(x) a(x) \tag{116}$$

of degree deg r(x) = deg t(x) + deg a(x) < deg t(x) + K, where the step from (115) to (116) follows from (79).

Finally, since from (113) deg r(x) > deg t(x) + K holds between lines 13 and 14 but from (116) deg r(x) < deg t(x) + K holds between lines 20 and 21, the correctness of (80) as a terminating condition is guaranteed; meanwhile from (116) we obtain (83). As for (81), since from (113) deg r(x) > (N + K)/2 holds between lines 13 and 14 but (from (116) and then (82)) deg r(x) < deg t(x) + K = deg Λ_f(x) + K ≤ (N + K)/2 holds between lines 20 and 21, we thus conclude that (81) can serve as an alternative terminating condition.



Appendix C: Proof of Theorem 16

In this section, we prove Theorem 16 in an analogous way as proving Theorem 15. The following lemma is an analog of Lemma 1.

Lemma 3 (GCD Loop Invariant). For the Partial GCD Algorithm II in Section 5.3, the condition

$$r(x) = s(x) \cdot M_U(x) + t(x) \cdot E_U(x) \tag{117}$$

holds both between lines 13 and 14 and between lines 20 and 21; moreover, the conditions

$$\deg r(x) < \deg \tilde{r}(x) \tag{118}$$
$$\deg t(x) \ge \deg \tilde{t}(x) \tag{119}$$
$$\deg M_U(x) = \deg \tilde{r}(x) + \deg t(x) \tag{120}$$

hold between lines 20 and 21. Specifically, let δ_ℓ denote the degree of q(x) (line 15) in the first iteration of the while block (lines 14-20) of the ℓ-th loop iteration. Then, $\deg t(x) = \deg \tilde{t}(x) + \delta_\ell = \sum_{v=1}^{\ell} \delta_v$ holds between lines 20 and 21 in the ℓ-th loop iteration. □

The proof of Lemma 3 is the same as the proof of Lemma 1 except for replacing the M_n(x) in the proof of Lemma 1 by M_U(x), and is thus omitted.
We now start to prove Theorem 16. If E(x) = 0, which implies E_U(x) = 0, Theorem 16 holds obviously; we thus prove in the following only the case where E(x) ≠ 0. For the Partial GCD Algorithm II of Section 5.3, let g denote the largest integer such that the coefficient of x^g of either r(x) or of r̃(x) is unknown. Clearly, with M_U(x) and E_U(x) as inputs, the algorithm starts with g = −1. Moreover, let h = max{deg r(x), deg r̃(x)}. Clearly, the algorithm starts with h = deg M_U(x) = N − K.

Lemma 4. For the Partial GCD Algorithm II in Section 5.3, let δ_ℓ denote the degree of q(x) in the first iteration of the while block (lines 14-20) of the ℓ-th loop iteration. If h − g > 2δ_ℓ holds between lines 13 and 14, then the value of q(x) (line 15) throughout the while block in the ℓ-th loop iteration is exactly the same as the corresponding one of the Extended GCD Algorithm of Section 5.1 in the same loop iteration. In addition, $g = -1 + \sum_{v=1}^{\ell} \delta_v$ and $h = N - K - \sum_{v=1}^{\ell} \delta_v$ both hold between lines 20 and 21 in the ℓ-th loop iteration. □

The proof is similar to that of Lemma 2 and is thus omitted. Since h − g = N − K + 1 holds between lines 13 and 14 in the first loop iteration, it follows from Lemma 4 that if $2 \sum_{v=1}^{\ell} \delta_v < N - K + 1$, then, from the first to the ℓ-th loop iteration, q(x) and thus s(x) and t(x) are exactly the same as in the Extended GCD Algorithm. Moreover, from Lemma 3, $\deg t(x) = \sum_{v=1}^{\ell} \delta_v$ holds between lines 20 and 21. In order to obtain (78), which implies that deg t(x) = deg Λ_f(x), it turns out that if

$$2 \deg \Lambda_f(x) \le N - K, \tag{121}$$

which agrees with (82), then the algorithm maintains exactly the same s(x) and t(x) as the Extended GCD Algorithm of Section 5.1 until deg t(x) = deg Λ_f(x).



It remains to argue the validity of (86) and (87) as appropriate terminating conditions. Assume that (82) is satisfied and suppose the Extended GCD Algorithm (in Section 5.1) terminates (at line 22) in the μ-th loop iteration. As shown above, the Extended GCD Algorithm in Section 5.1 and the Partial GCD Algorithm II maintain exactly the same s(x) and t(x) until deg t(x) = deg Λ_f(x). Thus, before the μ-th loop iteration

$$\deg t(x) < \deg \Lambda_f(x) \le (N - K)/2 \tag{122}$$

holds between lines 20 and 21; moreover, by (120) of Lemma 3,

$$\deg \tilde{r}(x) = \deg M_U(x) - \deg t(x) \tag{123}$$
$$> (N - K)/2 \tag{124}$$
$$> \deg t(x) \tag{125}$$

also holds between lines 20 and 21 for the Partial GCD Algorithm II. Further, from (119), deg t(x) ≥ deg t̃(x) holds as well between lines 20 and 21. Therefore, for the Partial GCD Algorithm II,

$$\deg \tilde{r}(x) > (N - K)/2 > \deg t(x) \ge \deg \tilde{t}(x) \tag{126}$$

holds between lines 20 and 21 in every loop iteration before the μ-th. It then follows after swapping all auxiliary polynomials in lines 24-26 that

$$\deg r(x) > (N - K)/2 > \deg \tilde{t}(x) \ge \deg t(x) \tag{127}$$

holds between lines 13 and 14 for each subsequent loop iteration. Then, after executing the while block in the μ-th loop iteration, we obtain the desired t(x) (with deg t(x) = deg Λ_f(x)) and s(x) that coincide with the corresponding ones of the Extended GCD Algorithm in Section 5.1; thus t(x) and s(x) (in the Partial GCD Algorithm II) at this moment satisfy both (117) and (79). From (79), we have

$$-s(x) M_n(x) = t(x) E(x) \tag{128}$$

with deg s(x) < deg t(x). Note that (128) can also be written as

$$-s(x)\big(x^K M_U(x) + M_L(x)\big) = t(x)\big(x^K E_U(x) + E_L(x)\big), \tag{129}$$

where M_U(x) and E_U(x) are defined in Section 5.3 and M_L(x) = M_n(x) − x^K M_U(x) and E_L(x) = E(x) − x^K E_U(x). Further, let $V(x) = -s(x) M_L(x) - t(x) E_L(x) = \sum_{\ell} V_\ell x^\ell$, which is of degree deg V(x) ≤ (K − 1) + deg t(x) because deg s(x) < deg t(x). Equation (129) can then be written as

$$x^K \big(s(x) M_U(x) + t(x) E_U(x)\big) = V(x). \tag{130}$$

Observing the left hand side of (130), we know that all the terms on the right hand side of (130) of degree less than K will vanish. Thus, we have the following equivalent expression for (130):

$$s(x) M_U(x) + t(x) E_U(x) = V_U(x), \tag{131}$$

where $V_U(x) = \sum_{\ell} V_{K+\ell}\, x^\ell$ has degree

$$\deg V_U(x) = \deg V(x) - K \tag{132}$$
$$\le (K - 1) + \deg t(x) - K$$
$$< \deg t(x).$$

Comparing (131) with (117) and from (132), clearly, deg r(x) = deg V_U(x) < deg t(x), which coincides with (86), holds between lines 20 and 21 in the μ-th loop iteration. Thus, the correctness of (86) as a terminating condition is guaranteed (because from (127) deg r(x) > deg t(x) holds between lines 13 and 14). On the other hand, since from (127) deg r(x) > (N − K)/2 holds between lines 13 and 14 but deg r(x) < deg t(x) = deg Λ_f(x) ≤ (N − K)/2 holds between lines 20 and 21, we thus conclude that (87) can serve as an alternative terminating condition.